lavender/server/auth.go

package server

import (
	"database/sql"
	"errors"
	"github.com/1f349/lavender/auth"
	"github.com/1f349/lavender/database"
	"github.com/1f349/lavender/role"
	"github.com/julienschmidt/httprouter"
	"net/http"
	"net/url"
	"strings"
)

type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)

type UserAuth struct {
	Subject  string
	Factor   auth.Factor
	UserInfo auth.UserInfoFields
}

func (u UserAuth) IsGuest() bool { return u.Subject == "" }

func (u UserAuth) NextFlowUrl(origin *url.URL) *url.URL {
	if u.Factor < auth.FactorAuthorized {
		return PrepareRedirectUrl("/login", origin)
	}
	return nil
}

var ErrAuthHttpError = errors.New("auth http error")

func (h *httpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
	return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		var hasRole bool
		if h.DbTx(rw, func(tx *database.Queries) (err error) {
			err = tx.UserHasRole(req.Context(), database.UserHasRoleParams{
				Role:    role.LavenderAdmin,
				Subject: auth.Subject,
			})
			switch {
			case err == nil:
				hasRole = true
			case errors.Is(err, sql.ErrNoRows):
				hasRole = false
				err = nil
			}
			return
		}) {
			return
		}
		if !hasRole {
			http.Error(rw, "403 Forbidden", http.StatusForbidden)
			return
		}
		next(rw, req, params, auth)
	})
}

func (h *httpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
	return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
		if auth.IsGuest() {
			redirectUrl := PrepareRedirectUrl("/login", req.URL)
			http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
			return
		}
		next(rw, req, params, auth)
	})
}

func (h *httpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
	return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
		authData, err := h.internalAuthenticationHandler(rw, req)
		if err != nil {
			if !errors.Is(err, ErrAuthHttpError) {
				http.Error(rw, err.Error(), http.StatusInternalServerError)
			}
			return
		}
		if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {
			http.Redirect(rw, req, n.String(), http.StatusFound)
			return
		}
		next(rw, req, params, authData)
	}
}

func (h *httpServer) internalAuthenticationHandler(rw http.ResponseWriter, req *http.Request) (UserAuth, error) {
	// Delete previous login data cookie
	http.SetCookie(rw, &http.Cookie{
		Name:     "lavender-login-data",
		Path:     "/",
		MaxAge:   -1,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})

	var u UserAuth
	err := h.readLoginAccessCookie(rw, req, &u)
	if err != nil {
		// not logged in
		return UserAuth{}, nil
	}
	return u, nil
}

func PrepareRedirectUrl(targetPath string, origin *url.URL) *url.URL {
	// find start of query parameters in target path
	n := strings.IndexByte(targetPath, '?')
	v := url.Values{}

	// parse existing query parameters
	if n != -1 {
		q, err := url.ParseQuery(targetPath[n+1:])
		if err != nil {
			panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")
		}
		v = q
		targetPath = targetPath[:n]
	}

	// add path of origin as a new query parameter
	orig := origin.Path
	if origin.RawQuery != "" || origin.ForceQuery {
		orig += "?" + origin.RawQuery
	}
	if orig != "" {
		v.Set("redirect", orig)
	}
	return &url.URL{Path: targetPath, RawQuery: v.Encode()}
}
Add oauth support 2024-02-07 01:18:17 +00:00			`package server`

			`import (`
A load more changes 2024-09-13 15:31:40 +01:00			`"database/sql"`
Redesign token authentication 2024-05-31 13:51:44 +01:00			`"errors"`
A load more changes 2024-09-13 15:31:40 +01:00			`"github.com/1f349/lavender/auth"`
Add oauth support 2024-02-07 01:18:17 +00:00			`"github.com/1f349/lavender/database"`
A load more changes 2024-09-13 15:31:40 +01:00			`"github.com/1f349/lavender/role"`
Add oauth support 2024-02-07 01:18:17 +00:00			`"github.com/julienschmidt/httprouter"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`)`

			`type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)`

			`type UserAuth struct {`
A load more changes 2024-09-13 15:31:40 +01:00			`Subject string`
Start new auth interfaces 2024-10-06 21:30:39 +01:00			`Factor auth.Factor`
A load more changes 2024-09-13 15:31:40 +01:00			`UserInfo auth.UserInfoFields`
Add oauth support 2024-02-07 01:18:17 +00:00			`}`

Improve page templates and custom template loading 2024-05-16 03:06:10 +01:00			`func (u UserAuth) IsGuest() bool { return u.Subject == "" }`
Add oauth support 2024-02-07 01:18:17 +00:00
A load more changes 2024-09-13 15:31:40 +01:00			`func (u UserAuth) NextFlowUrl(origin url.URL) url.URL {`
Start new auth interfaces 2024-10-06 21:30:39 +01:00			`if u.Factor < auth.FactorAuthorized {`
			`return PrepareRedirectUrl("/login", origin)`
A load more changes 2024-09-13 15:31:40 +01:00			`}`
			`return nil`
			`}`

Redesign token authentication 2024-05-31 13:51:44 +01:00			`var ErrAuthHttpError = errors.New("auth http error")`

A load more changes 2024-09-13 15:31:40 +01:00			`func (h *httpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {`
Add oauth support 2024-02-07 01:18:17 +00:00			`return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {`
A load more changes 2024-09-13 15:31:40 +01:00			`var hasRole bool`
Start adding sqlc and migration support 2024-05-17 21:40:31 +01:00			`if h.DbTx(rw, func(tx *database.Queries) (err error) {`
A load more changes 2024-09-13 15:31:40 +01:00			`err = tx.UserHasRole(req.Context(), database.UserHasRoleParams{`
			`Role: role.LavenderAdmin,`
			`Subject: auth.Subject,`
			`})`
			`switch {`
			`case err == nil:`
			`hasRole = true`
			`case errors.Is(err, sql.ErrNoRows):`
			`hasRole = false`
			`err = nil`
			`}`
Add oauth support 2024-02-07 01:18:17 +00:00			`return`
			`}) {`
			`return`
			`}`
A load more changes 2024-09-13 15:31:40 +01:00			`if !hasRole {`
Add oauth support 2024-02-07 01:18:17 +00:00			`http.Error(rw, "403 Forbidden", http.StatusForbidden)`
			`return`
			`}`
			`next(rw, req, params, auth)`
			`})`
			`}`

A load more changes 2024-09-13 15:31:40 +01:00			`func (h *httpServer) RequireAuthentication(next UserHandler) httprouter.Handle {`
Fix a bunch more compile breaking issues 2024-10-05 21:08:02 +01:00			`return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {`
Add oauth support 2024-02-07 01:18:17 +00:00			`if auth.IsGuest() {`
			`redirectUrl := PrepareRedirectUrl("/login", req.URL)`
			`http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)`
			`return`
			`}`
			`next(rw, req, params, auth)`
			`})`
			`}`

Fix a bunch more compile breaking issues 2024-10-05 21:08:02 +01:00			`func (h *httpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {`
Add oauth support 2024-02-07 01:18:17 +00:00			`return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {`
Fix a bunch more compile breaking issues 2024-10-05 21:08:02 +01:00			`authData, err := h.internalAuthenticationHandler(rw, req)`
Add oauth support 2024-02-07 01:18:17 +00:00			`if err != nil {`
Redesign token authentication 2024-05-31 13:51:44 +01:00			`if !errors.Is(err, ErrAuthHttpError) {`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`}`
Add oauth support 2024-02-07 01:18:17 +00:00			`return`
			`}`
Fix a bunch more compile breaking issues 2024-10-05 21:08:02 +01:00			`if n := authData.NextFlowUrl(req.URL); n != nil && !flowPart {`
			`http.Redirect(rw, req, n.String(), http.StatusFound)`
			`return`
			`}`
			`next(rw, req, params, authData)`
Add oauth support 2024-02-07 01:18:17 +00:00			`}`
			`}`

A load more changes 2024-09-13 15:31:40 +01:00			`func (h httpServer) internalAuthenticationHandler(rw http.ResponseWriter, req http.Request) (UserAuth, error) {`
Redesign token authentication 2024-05-31 13:51:44 +01:00			`// Delete previous login data cookie`
			`http.SetCookie(rw, &http.Cookie{`
			`Name: "lavender-login-data",`
			`Path: "/",`
			`MaxAge: -1,`
			`Secure: true,`
			`SameSite: http.SameSiteLaxMode,`
			`})`

Improve page templates and custom template loading 2024-05-16 03:06:10 +01:00			`var u UserAuth`
Redesign token authentication 2024-05-31 13:51:44 +01:00			`err := h.readLoginAccessCookie(rw, req, &u)`
Improve page templates and custom template loading 2024-05-16 03:06:10 +01:00			`if err != nil {`
			`// not logged in`
			`return UserAuth{}, nil`
Add oauth support 2024-02-07 01:18:17 +00:00			`}`
Improve page templates and custom template loading 2024-05-16 03:06:10 +01:00			`return u, nil`
Add oauth support 2024-02-07 01:18:17 +00:00			`}`

			`func PrepareRedirectUrl(targetPath string, origin url.URL) url.URL {`
			`// find start of query parameters in target path`
			`n := strings.IndexByte(targetPath, '?')`
			`v := url.Values{}`

			`// parse existing query parameters`
			`if n != -1 {`
			`q, err := url.ParseQuery(targetPath[n+1:])`
			`if err != nil {`
			`panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")`
			`}`
			`v = q`
			`targetPath = targetPath[:n]`
			`}`

			`// add path of origin as a new query parameter`
			`orig := origin.Path`
			`if origin.RawQuery != "" \|\| origin.ForceQuery {`
			`orig += "?" + origin.RawQuery`
			`}`
			`if orig != "" {`
			`v.Set("redirect", orig)`
			`}`
			`return &url.URL{Path: targetPath, RawQuery: v.Encode()}`
			`}`